Why Azure Managed HSM doesn't trust Azure Resource Manager.

Glenn Hunter 125 Reputation points Microsoft Employee
2024-01-31T13:55:10.36+00:00

Hi
"Azure Managed HSM doesn't trust Azure Resource Manager by default. However, for environments where such risk is an acceptable tradeoff for the ease of use of the Azure portal and template deployments, Managed HSM offers a way for an administrator to opt in to this trust." https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/authorize-azure-resource-manager Customer would like to understand in more detail the following: Why shouldn't mHSM trust ARM?, Could you please describe the risk with turning this on (in relation with mHSM). what specifically breaks and specific behavior if I don't enable this feature?. What would be the specific pros and cons? Many thanks

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,342 questions
Azure Dedicated HSM
Azure Dedicated HSM
An Azure service that provides hardware security module management.
31 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 37,046 Reputation points Microsoft Employee
    2024-02-02T01:01:37.62+00:00

    Hi @Glenn Hunter ,

    I started an internal thread about this topic with the engineering team so that we can get more specific potential scenarios, and since I see that you are internal you can feel free to reach out to me. We can update this thread with additional information that we receive.

    However, the documentation also indicates that ARM is a higher assurance service with some high impact behaviors that could result in increased security considerations. My understanding of this is that this is from a security best practice and compliance perspective, since you could potentially be managing sensitive resources via automation.

    References:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview

    https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-resource-manager-security-baseline

    Feel free to reach out to me on Teams though. For future reference, I would recommend checking in the Azure Managed HSM internal channels for these types of questions.


1 additional answer

Sort by: Most helpful
  1. Glenn Hunter 125 Reputation points Microsoft Employee
    2024-02-08T14:11:32.6433333+00:00

    Hi All, I got a response back directly from the mHSM product manager with the following: By trusting ARM, it means MHSM will trust identities passed from ARM to MHSM. So if ARM gets hacked, it could be used to access MHSMs and get them to do unauthorized things. Essentially the risk with utilizing ARM is that the customer would be expanding the trust zone to ARM, which is not in confidential computing.  If ARM is not enabled, you can't use template deployments to create keys and certain UX flows where keys are created indirectly won't work from the portal. However, there are work arounds for all of these like just creating keys ahead of time. The main "pro" of ARM is convenience. The customer can decide if the "con" of the trust risk is an acceptable tradeoff. Many thanks

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.